Cloud Foundry User Administration
In the third installation of our open source Cloud Foundry (CF) toolbox series we unveil CF-Users, a web based solution for managing Cloud Foundry user credentials and authorization. Enabling team collaboration and self-sufficiency is a core principal of Cloud Foundry, one which heavily relies on the concepts of Organizations, Spaces, and Roles. These built in mechanisms allow teams full access to manage roles and permissions without the chance of impacting other teams using the shared platform. This seemingly simple ability is increasingly vital as your organization grows, allowing more responsibility to be pushed to the teams themselves and reducing reliance on a centralized ops team.
So what’s the catch? Out of the box the only tool Cloud Foundry provides for managing user and permissions is the CF CLI. Although incredibly useful, the cli restricts access to user management commands to only admin level users. This essentially ignores the Org and Space level manager roles which a user may have. In addition, user management through the cli is a multi-step process requiring multiple commands to accomplish most tasks. As our utilization of Cloud Foundry grew, we quickly found that relying on the command line interface to add users and configure multiple roles to individuals was a cumbersome task, which was taking increasingly more time. More importantly it was actually an anti-pattern to the DevOps goals we were trying to achieve.
Although the cli doesn’t allow users to take full advantage of CF’s role functionality, all the necessary mechanisms to do so are still available under the hood. With CF-Users we created a web-ui which ties into these mechanisms and exposes them in a secure way to the development teams. In addition to moving user management from an ops role back to the teams, the number of steps required to manage users is also greatly reduced by offering the ability to simultaneously add a user and configure permissions. This takes what is a multistep process at the command line and reduces it to one form of entry and submittal, which greatly reduces the steps needed to add a user.
CF-Users also offers two different workflows for modifying a user’s roles within Cloud Foundry, allowing assignment of roles from the most convenient perspective needed. For instance, if a new organization or space has been added, the User Role Admin page may be used to assign roles to multiple users at that level without the need to navigate several web pages. Conversely, if only one user needs permissions added, the Edit User screen may be used to assign multiple roles for that user. Efficiency is greatly improved, simplifying the process to a few mouse clicks.
Using the application
Organization managers and space managers both may add users with CF-Users. However, organization managers may only assign roles within organizations that that they manage. Likewise, space managers may only assign roles within spaces that they manage. Adding a user is as easy as entering the username and optionally password (depending on the type of user account created), select roles for the user, and click the Create User button.
This screen allows organization managers and space managers to modify the privileges assigned to users. The user roles may be selected or deselected by clicking the appropriate checkboxes. The privileges are updated as these checkboxes are clicked and feedback is given with a Growl message when the action is completed.
User Role Admin
This screen allows privilege modification from the perspective of the organization and the spaces rather than from the user perspective. This is accomplished by allowing the selection of the organization and/or space and displaying a list of users who can be assigned roles at the chosen level. As with edit user, the privileges are updated as the checkboxes are clicked and feedback is given with a Growl message when the action is completed.
If you would like to deploy CF-Users yourself, go to the github page to download and deploy it. If you have any enhancements you would like to contribute, submit a pull request. We welcome enhancements to this project to make it more effective and improve efficiency of user administration.